www.xybion.com

Spreadsheet ValidationRumors, Reality,

& RisksLive Webinar

www.xybion.com

Xybion Corporation Fast Facts

Founded in 1977Privately Held, NMSDC Certified MBE

R&D SolutionsGRC/BPM SolutionsEnterprise Asset and Content Management Services & Solutions

NJ and PA Locations in USQuebec City, CanadaGermanyIndia

Innovative Development & Testing COE In IndiaDelivers Quality Testing & Development ServicesInternal Product Development & Support

Lowering Total Cost of OwnershipDelivering Enterprise Products, Services, and Solutions That Power Innovation & Efficiency

Corporate

Our Products

Global Locations

Our Global Services

Value Proposition

www.xybion.com

Xybion Offers Comprehensive Industry Solutions for major Enterprise Processes under one roof, lower Total Cost Of Ownerships through validated software and services implemented through a global hybrid resource model based in US. Canada and India.

GRC

Total Preclinical

Quality Management

ECM Migration & Consolidation

ECM Synchronization

CAPAAudit Mgt

Incident Mgt

Change Control

NCDoc Mgt

Automated Migration

Bulk Consolidation

Metadata Consolidation & Transformations

Repository Synchronization & Replication

Vivarium Management and Veterinary Care

Research & Safety Study Management

Internal Controls

IT Governance

Risk Mgt

LMS PMO

Complaint Mgt

EAM EAM SoftwareEAM Professional

ServicesEAM Custom Development

Validation & Verification Services

Validation & Testing

Software Testing Services

www.xybion.com

About the speaker

Harry Huss has over 25 years of experience in the pharmaceutical industry. He is currently Executive Director, Brandywine Compliance Consulting, LLC, and has held positions as Senior Director Compliance Policy & Program Support Services, Charles River Laboratories, Inc., Associate Director of Computer Validation Quality Assurance, Merck & Company, Inc., and Regulatory Compliance Manager, SmithKline Beecham, Inc. Harry has a M.S. degree in Clinical Microbiology from Thomas Jefferson University, and B.S. degrees in Biology and Medical Technology from Millersville University and Bryn Mawr respectively. He has provided a wide variety of computer validation and Part 11 presentations at professional meetings, provided computer validation training for the FDA, authored the Master Validation Plan for FDA’s National Center for Toxicological Research (NCTR), and published numerous scientific and regulatory compliance articles. Harry is a member of the Drug Information Association Validation Core Committee as well as an original and current member of the Society of Quality Assurance Computer Validation Initiatives Committee (CVIC).

www.xybion.com

Agenda

• Introduction• Rumors• Realities• Risks • Summary• Questions & Discussion

www.xybion.com

Spreadsheet Validation: 3 “R’s”

Rumors Reality

Risks

www.xybion.com

Rumors

www.xybion.com

Rumor #1

• The FDA has indicated that commercially available spreadsheets cannot be adequately validated, and therefore should not be used to support regulated activities.

• The FDA has not indicated that spreadsheets, or any other category of computerized systems, should be excluded from supporting regulated activities.

www.xybion.com

Rumor #2

• The FDA has indicated that due to the widespread use of commercial spreadsheets these applications are deemed to be accurate and reliable, and therefore do not require any further validation by the end user.• The FDA has not exempted spreadsheets, or

any other category of computerized system, from compliance with applicable regulations, when these systems are used to support regulated activities.

www.xybion.com

Rumor #3

• The FDA has indicated that an end user of spreadsheet systems can employ the “calculator rule” to avoid validation, conducting verification of spreadsheet arithmetic calculations using a handheld calculator.

www.xybion.com

Rumor #3 (cont.)

• The FDA does not have a “calculator rule”, exempting spreadsheet validation compliance requirements.

• A handheld calculator could be used as part of the spreadsheet validation process, to verify the accuracy of spreadsheet calculations

• Required validation controls and testing are broader than only arithmetic accuracy.• system security, audit trail function, data input/output,

e-records and e-archival criteria, administrative controls, configuration management controls, etc.

www.xybion.com

Rumor #4

• The FDA has indicated that a company can avoid validation of spreadsheet systems by documenting a risk assessment which states that due to the widespread use of spreadsheet systems, the risk to regulated data created by, or entered into, these spreadsheets is low, and therefore validation of current and future uses of spreadsheet systems will not be required.

www.xybion.com

Rumor #4 (cont.)• FDA has stated repeatedly that risk assessment

is not an alternative to compliance.• FDA has indicated that computerized systems

must be validated for their intended use.• Risk assessment can be employed to

determine:• relative criticality of a system• level of testing needed for individual requirements • level of mitigation/remediation necessary for potential

test script failures• BUT, applicable regulatory requirements remain as

requirements.

www.xybion.com

Reality

www.xybion.com

Reality• FDA 483 and Warning Letter citations for

spreadsheets are more numerous than other categories of computerized systems. There are probably 3 reasons that findings related to spreadsheets are more common:• Large number of spreadsheets• Lack of management support for spreadsheet

validation• FDA investigators and QA auditors know that

spreadsheet systems are often not well controlled (validated), and the spreadsheet applications often have design deficiencies related to requirements for security and audit trails.

www.xybion.com

“Basic” Reality • FDA and other international regulatory agencies

have requirements for validation of computerized systems used to support regulated activities.

• Validation of computerized systems is commonly defined as, documented evidence which provides a high degree of assurance that a computerized system will operate accurately and reliably to its predefined specifications (requirements) and quality attributes.

• A spreadsheet application running on a desktop or laptop computer is a computerized system.

• A spreadsheet used to support regulated activities must be validated for its intended use.

www.xybion.com

“Harsh” Reality• As with most obligate regulatory requirements,

there are no real shortcuts• There are no hidden industry secrets that allow

avoidance of compliance• There is no risk assessment approach which

trumps regulations• During a regulatory inspection, either a

spreadsheet system will have documentation which provides adequate assurance of system accuracy, reliability, and compliance with applicable regulatory “quality attributes” (audit trail, security, etc.)….or adequate documentation will not be available.

www.xybion.com

Reality Efficiencies

• Have a defined process for computerized system validation (including spreadsheets). Nothing saves as much money in the area of validation as having a process which your employees can follow for all computerized systems.

• Don’t start from scratch… plagiarize, plagiarize, and then plagiarize some more.

• Don’t try to validate the spreadsheet program…you won’t be successful.

www.xybion.com

Risks

www.xybion.com

Risks

• The primary risk associated with spreadsheets relates to business continuity

• Will these spreadsheets provide accurate data? • Will these spreadsheets adequately protect data

from being compromised? • The almost infinite configurability and limitless

uses of spreadsheets make these products powerful business tools, but this flexibility also opens the door to bad things happening.

www.xybion.com

Risks• If a company fails to validate spreadsheets used

for regulated activities, then that company is inviting audit report findings or regulatory actions

• With numerous 483 and Warning Letter findings related to spreadsheets, it is clear that FDA investigators are looking at spreadsheet controls and have expectations that these systems be validated for their intended use.

www.xybion.com

Risks• The ease of spreadsheet distribution and

installation presents regulatory control challenges.

• Wide distribution, broad end user individual configuration, less administrative and IT support, result in greater potential for a system to drift out of control

• Must consider how to effectively address system security (applications on laptops go home and travel with people…applications on central servers generally don’t go anywhere).

• How will subsequent change control and configuration management be handled?

www.xybion.com

Risks • FDA investigators and industry auditors are

aware that spreadsheet systems generally have two major design deficiencies related to regulatory compliance…security and audit trail functions.

• IT staff or techie staff members try to mitigate these deficiencies by developing “workarounds”, but often these workarounds do not resolve the compliance deficiencies.

www.xybion.com

Risks• Software vendors recognized the spreadsheet

audit trail and security issues and have produced software products, which operate in tandem with spreadsheets to mitigate these design gaps

• Readily available, easy to install, relatively inexpensive, consistent solution

• Our webinar host, Xybion, produces such a product named Compliance Builder

www.xybion.com

Summary

• Spreadsheets are widely distributed and uniquely configured computerized systems

• Critical to business continuity• Regulatory agencies require these systems to be

validated for their intended use• Commercial products are available to mitigate

design gaps• Rumors do not replace regulations

www.xybion.com

Questions&

Discussions

www.xybion.com

Life Sciences Challenges

Life-SciencesCompanies

IT Governance

Financial Controls

SOX

Global RegulatoryPressure ..FDA …

OperationalEfficiency

www.xybion.com

Compliance Builder - Overview

Xybion is an acknowledged leader in providing enterprise solutions for Regulatory, Quality and Compliance (GRC) to Life Sciences industry.

ComplianceBuilder is one of the solutions from Xybion which helps address one of the core needs CFR Part 11 and related Compliance needs especially with the Life Science companies.

www.xybion.com

How does ComplianceBuilder help?Provides capabilities needed to meet requirements such as:

21 CFR Part 11, Sarbanes-Oxley

Monitors key data sources, such as: Files on Workstations or Servers Tables in Databases Process and Manufacturing

Equipments

www.xybion.com

ComplianceBuilder

Functionality available with 3 sub-systems

www.xybion.com

Thank You!

www.xybion.com